[ale] Switching from Server 2003 to Samba

Jim Kinney jim.kinney at gmail.com
Sat Nov 15 14:07:23 EST 2014


Keep your eye on freeipa for user authentication.
www.freeipa.org/page/Windows_authentication_against_FreeIPA
On Nov 15, 2014 10:54 AM, "Edward Holcroft" <eholcroft at mkainc.com> wrote:

> Update: on Samba and distro change
>
> This is all working now with much thanks to the initial advice gleaned on
> this list.
>
> I was bashing my head against some inexplicable issues and in desperation
> I decided to try my Samba recipe on CentOS 7. As a result, I've decided
> that this will be my platform of choice for this particular deployment. I'm
> no guru and don't want to knock Ubuntu (which I run on all my Amazon
> servers and many in-house servers), but it just seems like the Ubuntu folks
> have made some little adjustments to things like certain file locations
> which unless you really, really know what to look for, things break and
> cannot be fixed by a lesser mortal like me. I never managed to resolve the
> "getent" issue on Ubuntu that I asked about previously. That was the
> deciding factor in the switch to CentOS.
>
> Not trying to start a flame war, just sharing my experience that if anyone
> else tries this, they may get better mileage on CentOS, unless they're an
> expert, unlike me. Actually it was great to learn a little bit about a
> different distro, since Ubuntu had become my default go-to until this
> Samba experience, given it has "just worked" for me in the past. It's kinda
> interesting that I switched my desktop to Debian about 18 months back 'cos
> Ubuntu (GUI desktop) broke so often I could hardly get my work done -
> seemed like there was a regression in every second darn update. Is there a
> pattern here? OK, maybe I am trying to start a flame war.
>
> The only issue that really messed me around on CentOS was firewalld. Took
> me a day to realize that's what was stopping me from adding Windows ACL's
> to my shares. I was a little surprised to find a firewall running that I
> had not installed or activated. Oh well, I guess it's just part of a
> minimal CentOS installation. Stopped firewalld and never looked back. Oh
> yes, there was one other issue: CentOS struggled to install on our old HP
> ML350 servers due to the RAID card - had to add a kernel parameter to load
> the older drivers.
>
> Anyway, now that my shares are working with Windows ACL's, my next step is
> backup. I've opted for simple crontab with rsync to USB HDD's, along with
> autofs to mount the drives appropriately when the office manager replaces
> them each day. I still need to build a nice, elegant script for this: for
> now, it's ugly but it works.
>
> And then, as a nice to have, I believe there's a way to get an equivalent
> of Windows shadow copy on Linux. I'll be taking a look at that at some
> point in the future.
>
> This Samba setup, now that it appears to be viable, serves to remove
> Windows Server 2003 from our 18 regional offices! I will feel a LOT more
> comfortable knowing that we have Linux under the hood out there.
>
> And one day ... one day ... I hope to have Linux replace our Active Directory
> in its entirety. I cannot wait for our next Micro$haft audit so that I can
> rub their noses in why we suddenly have such a steep reduction in Windows
> servers. bwaahaahaa ...
>
> cheers and thanks again for all the help.
> ed
>
> On Fri, Oct 3, 2014 at 2:41 PM, Edward Holcroft <eholcroft at mkainc.com>
> wrote:
>
>> OK, so here's where this thing stands right now.
>>
>> I have Ubuntu 14.04 running Samba 4.1 as a member server on my AD domain.
>> I can access Windows shares, including home shares from my Windows clients
>> using Windows ACL's as if accessing a Windows server.
>>
>> The Samba wiki, starting here, was very helpful:
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Now, I've encountered a glitch that I hope someone can help me with:
>>
>> If I do a getent passwd, I am able to see all the users from my AD,
>> EXCEPT the ones that I have created since joining this server to the
>> domain. Is there a command I need to run to update the user list on the
>> Ubuntu box? I don't recall doing anything special before. Just installed
>> libnss-winbind and libpam-winbind and bang, getent passwd just worked, fully
>> populated with AD users.
>>
>> What is interesting, is that getent group, shows these newly created
>> users as added to appropriate groups, which makes it all the more
>> perplexing to me.
>>
>> If I do a wbinfo -u I get a list of all domain users, including the newly
>> created ones.
>>
>> If I do id smbtest1, I get "no such user". Other users (all those created
>> before today) work fine e.g. id eholcroft
>> uid=10019(eholcroft) gid=10004(domain users) groups=10004(domain
>> users),10057(atlanta),10067(accessusers),10047(mkastaff),10078(it),10162,10001(BUILTIN\users)
>>
>>
>> This seems to be the only issue standing between me and getting my shares
>> fully functional. All users can access shares as expected, EXCEPT those
>> that do not show up in getent passwd - for these users, the Windows client
>> gets stuck on username and password prompt when trying to access a share
>> (providing the credentials does not help)
>>
>> cheers
>> ed
>>
>>
>> On Thu, Jul 10, 2014 at 3:53 PM, Edward Holcroft <eholcroft at mkainc.com>
>> wrote:
>>
>>> All,
>>>
>>> The time has finally come to ditch our Micro$haft file servers as
>>> another increment towards weaning ourselves off our Windows habit. For now,
>>> I have to keep Active Directory in the picture, although I have managed to
>>> reduce the AD server footprint from 18 servers down to 4. Corporate mindset
>>> issues demand small steps.
>>>
>>> Question: Is it better to go with an "appliance solution" such as
>>> FreeNAS vs. distro+Samba?
>>>
>>> I played around with FreeNAS a bit and while it has great automation of
>>> things like AD integration (which I will need to do for now) and a great
>>> web interface, it seems less flexible when it comes to e.g. backup options.
>>> It seems a simple Ubuntu/Samba box gives me many options on how to handle
>>> our daily backups to USB, while FreeNAS can potentially close doors to me,
>>> or at least make things harder. That's just one example that I ran into.
>>>
>>> So, I'd like to hear from you about experiences/pros-cons of
>>> appliance-type options vs the manual way. I've tried both at a simple test
>>> level. They both seem viable and I really want to like FreeNAS, but just
>>> cannot seem to get comfortable with it - little glitches seem to pop up
>>> that have the potential to be major sticking points. So right now I'm
>>> leaning towards distro+Samba.
>>>
>>> Feel free to suggest other options besides the two mentioned here.
>>> Whatever solution I deploy I have to be able to use Windows ACL's on the
>>> shares ... for now.
>>>
>>> cheers
>>> ed
>>>
>>> --
>>> Edward Holcroft | Madsen Kneppers & Associates Inc.
>>> 11695 Johns Creek Parkway, Suite 250 | Johns Creek, GA 30097
>>> O (770) 446-9606 | M (770) 630-0949
>
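
Added example, not part of the thread or of anyone's posted configuration: on the firewalld point in the November 15 update, a way to leave firewalld running on a CentOS 7 Samba member server and allow only file sharing instead of stopping the firewall. It assumes firewalld's predefined `samba` service in the default zone covers the blocked traffic; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: keep firewalld running and open only the Samba service.
# Assumptions: firewalld's predefined "samba" service, default zone.

REQUIRED_SERVICES="samba"

# missing_services "<space-separated services currently allowed>"
# Prints each required service that is absent from the list.
# Whole-word match, so "samba-client" (outbound helper) does not count as "samba".
missing_services() {
    allowed=" $1 "
    for svc in $REQUIRED_SERVICES; do
        case "$allowed" in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# open_samba: add whatever is missing to the permanent config, then reload.
open_samba() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found" >&2; return 2; }
    [ "$(firewall-cmd --state 2>/dev/null)" = "running" ] || {
        echo "firewalld is not running" >&2; return 3; }
    current=$(firewall-cmd --list-services)
    todo=$(missing_services "$current")
    if [ -z "$todo" ]; then
        echo "samba already allowed; nothing to change"
        return 0
    fi
    for svc in $todo; do
        firewall-cmd --permanent --add-service="$svc" || return 1
    done
    # --permanent edits only the saved config; reload makes it live.
    firewall-cmd --reload
}

# Change the firewall only when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    open_samba
fi
```

Run as root with `--apply` to make the change; `firewall-cmd --list-services` afterwards shows what the zone allows.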